  NETWORKING PLUS
Network Security: World is the perimeter
Continued from page: 1

Alok Singh
Wednesday, February 07, 2007
Even though IDS and IPS have not matured in terms of market adoption, node-level and access control security solutions are now being touted by security vendors as the next must-haves

Elementary, Did You Say?
Babu reveals another thing. While logically partitioning the enterprise-wide network into VLANs is now elementary, it is still not very fashionable to put a layer of security between these VLANs. Some organizations have done that, but it is still not very prevalent. When implemented, this amounts to perimeter security for each department of the organization, securing the way it communicates with the organization's other departments. This is mostly being done in IT/ITeS environments, where a single organization does projects for multiple groups or multiple principals and then builds security for each of these groups independently. Babu adds that there are organizations with an evolved security culture. These organizations have a drilled-down, layered architecture.

Hayath agrees, but has a slightly different take on the situation. He says, "The BFSI segment is pretty much aware on the security standpoint. They have a lot of RBI regulations and everything there is about money. So, security obviously matters. Even in the remotest branches they have routers, which can carry out security management, right from identity and access rights to IPsec VPN, SSL VPN, 802.1x. As they stand now, they have the right security infrastructure in place." But, as pointed out by InsightExpress, authorized users are prone to unauthorized activity. Therefore, they too need to upgrade to access control solutions.

Is Perimeter Security Passé?
The concept of secure and unsecured zones of a network is no longer relevant, as every point has to be secured; that is the direction we are moving towards, says Babu. Security has to be at every entry point. If a laptop is connected to a LAN, that is an entry point; if it is connected to a wireless hotspot in a cafe, that is an entry point; and if somebody is entering the network over the Internet or a leased line, that is an entry point. Every entry needs to be secured. It can no longer be said that a device is secure simply because it is connected to the LAN.

Managed Security
Obviously, providing enterprise security is not the core business of most enterprises. While this increasing need for security bodes well for the business of managed security, the close integration of the enterprise network with the WAN seems to make a strong case for managed security offerings from telecom/Internet service providers. This offering could not only be targeted at the remote workers of large enterprises, but also at providing a complete security solution to the SMEs and large SOHOs. The beauty does not end here. A large enterprise is already a mini telco in terms of the users to whom it provides connectivity, and scaling it further to serve the telco's subscribers is not going to be too difficult either, he says. The enterprise-level security solutions can be used by the service provider, and the CSA can be pushed to the laptop by the SP. From a NAC perspective, you just need to scale it up to hundreds of thousands of NAC clients.

The managed security service providers are also taking a step forward by proactively monitoring risks that may threaten the network in the future. This could be done through NAC/UAC-like solutions, which may get integrated as a service component, in addition to the management and monitoring of the firewall.

NGN: How Much More Security?
"If proper care is taken, enterprise NGNs will only require an incremental investment in security", Babu says. A converged network will carry voice and data applications, maybe even video, with users connecting from all over the network and the Internet with a host of end terminals and even PDAs.

For securing voice applications, soft-switches and end IP phones need to be secured in real time. IPsec would no longer be sufficient. Encryption would be required on the wireless side, and SSL VPN for handhelds. Bandwidth will increase, so more equipment, probably with higher capacities, will have to be brought in. But importantly, enterprises do not need to rip out their existing security investment.

New equipment would be required to handle applications like voice or IPTV. But, when traffic increases, there will always be a new site that would have less traffic and the older equipment could be relocated there. Alternately, as the traffic increases, smaller and more concentrated sub-groups could be created. For example, suppose one box can cater to 100 users of Fast Ethernet, and tomorrow the users move to Gigabit Ethernet. In such a case, these 100 users can be broken into 3 different VLANs, explains Babu. This would ensure that the existing investment in the Fast Ethernet switch is conserved.

Security implementations, however, have usually been driven by compliance pressures. The good news is that most compliance regulations don't require a particular type of deployment or even an architecture. Compliance requires the ability to secure a network, its applications and solutions in such a way that it is possible to produce an audit of the traffic going through it, says Babu. Whether that audit trail is created using application-level security or by implementing gateway security at the VLANs, at the end of the day it should tell us the following: who accessed what, when, whether he was authorized to access it, and what he did with that access. The idea is, even if you have a valid ticket to the airport, it does not grant you access to the control tower. IT has shown the way to many verticals in the country; it certainly can show the way to others too.

Alok Singh
aloksi@cybermedia.co.in

CyberMedia India Ltd

 
  Copyright © CMIL. All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.